The genetic testing company 23andMe has filed for bankruptcy, prompting people who’ve used the service and sent in DNA samples to be analyzed to wonder what will happen to their genetic data.

The company says the filing does not change how it stores, manages or protects customer data. But some privacy experts are recommending that people who have used 23andMe delete their data, given concerns not only about a potential buyer getting access to sensitive information, but also hackers who might take advantage of the upheaval to gain access to it.

“What we’re witnessing with 23andMe is a stark wake-up call for data privacy,” said Adrianus Warmenhoven, a cybersecurity expert at NordVPN. “Genetic data isn’t just a bit of personal information — it is a blueprint of your entire biological profile. When a company goes under, this personal data is an asset to be sold with potentially far-reaching consequences.”

23andMe filed for Chapter 11 bankruptcy protection on Sunday. Anne Wojcicki, who co-founded the company nearly two decades ago and has served as its CEO, stepped down effectively immediately. The San Francisco-based company said that it will look to sell “substantially all of its assets” through a court-approved reorganization plan.

Is my DNA data safe?

In a post about the Chapter 11 process, 23andMe said its users’ privacy and data are important considerations in any transaction and that any buyer will be required to comply with applicable laws when it comes to how it treats customer data.

But experts note that laws have limits — for instance, the U.S. has no federal privacy law and only about 20 states do.

There are also security concerns. For instance, the turmoil of a bankruptcy and related job cuts could leave fewer employees to protect customers’ data against hackers. It wouldn’t be the first time — a 2023 data breach exposed the genetic data of nearly 7 million customers at 23andMe, which later agreed to pay $30 million in cash to settle a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed.

Experts note that DNA data is particularly sensitive — and thus valuable.

“At a fundamental biological level, this is you and only you,” said David Choffnes, a computer science professor at Northeastern University and executive director of its Cybersecurity and Privacy Institute. “If you have an email address that gets compromised, you can find another email provider and start using a new email address. And you’re pretty much able to move on with your life without problem. And you just can’t do that with your genetic code.”

23andMe says it does not share information with health insurance companies, employers or public databases without users’ consent and with law enforcement only if required by a valid legal process, such as a subpoena. Choffnes said while that’s good, it’s a fairly narrow set of categories.

“There’s still other things that they are allowed to do with that data, including, as they mentioned, provide cross context, behavioral or targeted advertising,” he said.

How to delete data

California Attorney General Rob Bonta issued an urgent consumer alert Friday — before 23andMe filed for bankruptcy — noting the company’s financial distress and reminding people they have the right to have their data deleted.

If you have a 23andMe account, you can delete your data by logging in and going to “settings” and scrolling to a section called “23andMe Data” at the bottom of the page. Then, click “View,” download it if you want a copy then go to the “Delete Data” section and click “Permanently Delete Data.” 23andMe will email you to confirm and you will need to follow the link in the email to confirm your deletion request.

If you previously asked 23andMe to store your saliva sample and DNA, you can also ask that it be destroyed by going to your account settings and clicking on “Preferences.” And you can withdraw consent to third-party researchers to use your genetic data and sample under “Research and Product Consents.”